Oracle vs. the hackers
As the annual Black Hat security conference takes place in Las Vegas this week, a certain opinion piece published on News.com is being kicked around in the blogosphere--and I do mean kicked.
The column, written by Oracle's chief security officer, defends corporate security efforts and takes to task some of the "security researchers" (aka hackers) who expose flaws in software manufactured by her company and others. Needless to say, the criticism has been less than welcome in many circles.
Already this week, security researchers at Black Hat are planning to discuss flaws in Oracle software. It will be interesting to see if more bugs are found in Oracle products as the column makes the rounds, especially given the company's boastful claims of software in years past.
Blog community response:
"It is interesting that she tries to justify Oracle's timescales, which is fair enough--her argument is good but she doesn't actually explain why it takes 2 years to fix bugs."
--Pete Finnegan's Oracle security weblog
"I don't think I would have taken her approach, for two reasons. One is that it's going to inflame the Black Hat crowd, and will undoubtedly result in Oracle's vulns getting much more press than they would otherwise--remember, the tech press loves controversy."
"'We believe the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed' (Oracle). Seriously, does Oracle think it's in the best interest of their customers to keep them in the dark?!"